What is the CVSS score of CVE-2026-26308?

CVE-2026-26308 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Envoy are affected by CVE-2026-26308?

Envoy proxy deployments are vulnerable to authentication bypass through a logic flaw in the RBAC filter when processing HTTP headers with multiple values, potentially allowing unauthorized access to…. A patch is available.

Is there a public PoC exploit available for CVE-2026-26308?

Yes, a public proof-of-concept exploit is available for CVE-2026-26308. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-26308?

Within 24 hours: Inventory all Envoy deployments and verify affected versions (pre-1.37.1, pre-1.36.5, pre-1.35.8, pre-1.34.13). Within 7 days: Apply available vendor patches to all affected instances, starting with production environments. Within 30 days: Complete patching across all Envoy deployments in development, staging, and non-production environments; conduct access log review for potential exploitation attempts.

Envoy CVE-2026-26308

HIGH

Incorrect Authorization (CWE-863)

2026-03-10 security-advisories@github.com

GHSA-ghc4-35x6-crw5

Authentication Bypass Envoy

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 11, 2026 - 16:23 vuln.today

Public exploit code

Patch released

Mar 11, 2026 - 16:23 nvd

Patch available

CVE Published

Mar 10, 2026 - 20:16 nvd

HIGH 7.5

DescriptionGitHub Advisory

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies-specifically "Deny" rules-by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

AnalysisAI

Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating each value individually, allowing attackers to bypass "Deny" access control policies through header manipulation. This vulnerability affects Envoy versions prior to 1.34.13, 1.35.8, 1.36.5, and 1.37.1, and public exploit code exists. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP request with duplicate headers

Exploit

Envoy concatenates values into comma-separated string

Execution

RBAC Deny rule bypassed via obscured value

Impact

Access unauthorized resource

Access

Send HTTP request with duplicate headers

Exploit

Envoy concatenates values into comma-separated string

Execution

RBAC Deny rule bypassed via obscured value

Impact

Access unauthorized resource

Vulnerability AssessmentAI

Exploitation	Envoy proxy version prior to 1.37.1, 1.36.5, 1.35.8, or 1.34.13 with RBAC filter enabled and Deny rules configured for HTTP header exact-match validation. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, eff.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Envoy deployments and verify affected versions (pre-1.37.1, pre-1.36.5, pre-1.35.8, pre-1.34.13). …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-26308 vulnerability details – vuln.today

Back

Envoy CVE-2026-26308

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code